Windows 2008R2 features part VI: Managed Service Accounts – delegation

In a previous entry I explained how you can run services under the new Managed Service Account. Say now that we want to use this service account in combination with Kerberos, and the account needs to be trusted for delegation. We set an SPN on it, but in Active Directory Users and Computers we cannot find the trusted-for-delegation option anywhere. Let's take a closer look at these accounts once they have been created; to do this we'll use ldp.exe.

Expanding base ‘CN=SA-SQL01-SQL,CN=Managed Service Accounts,DC=ROOTDOMAIN,DC=local’…
Getting 1 entries:
Dn: CN=SA-SQL01-SQL,CN=Managed Service Accounts,DC=ROOTDOMAIN,DC=local
accountExpires: 9223372036854775807 (never);
badPasswordTime: 2/4/2009 1:34:38 PM W. Europe Standard Time;
badPwdCount: 0;
cn: SA-SQL01-SQL;
codePage: 0;
countryCode: 0;
distinguishedName: CN=SA-SQL01-SQL,CN=Managed Service Accounts,DC=ROOTDOMAIN,DC=local;
dSCorePropagationData: 0x0 = ( );
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: FALSE;
lastLogoff: 0 (never);
lastLogon: 2/4/2009 1:56:18 PM W. Europe Standard Time;
lastLogonTimestamp: 2/4/2009 1:16:59 PM W. Europe Standard Time;
localPolicyFlags: 0;
logonCount: 4;
msDS-HostServiceAccountBL: CN=SQL01,CN=Computers,DC=ROOTDOMAIN,DC=local;
name: SA-SQL01-SQL;
objectCategory: CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=ROOTDOMAIN,DC=local;
objectClass (6): top; person; organizationalPerson; user; computer; msDS-ManagedServiceAccount;
objectGUID: 87ba9c4a-8a9b-4c13-b1f8-5986c8c5a53e;
objectSid: S-1-5-21-1621971834-463630077-1066132090-1115;
primaryGroupID: 515 = ( GROUP_RID_COMPUTERS );
pwdLastSet: 2/4/2009 1:10:57 PM W. Europe Standard Time;
sAMAccountName: SA-SQL01-SQL$;
sAMAccountType: 805306369 = ( MACHINE_ACCOUNT );
servicePrincipalName: MSSQLSVC/SQL01.ROOTDOMAIN.LOCAL:1456;
userAccountControl: 0x1000 = ( WORKSTATION_TRUST_ACCOUNT );
uSNChanged: 16557;
uSNCreated: 16544;
whenChanged: 2/4/2009 1:16:59 PM W. Europe Standard Time;
whenCreated: 2/4/2009 1:10:20 PM W. Europe Standard Time;


As you can see, the sAMAccountType is MACHINE_ACCOUNT and the userAccountControl is set to WORKSTATION_TRUST_ACCOUNT.

Many services need to be set up for delegation, and since we do not have the regular "Delegation" tab on this object in Active Directory, we need to set it another way. Delegation is controlled by the 7th hex digit (counting from the right) of the userAccountControl attribute. The current value is 0x1000 (hex), or 4096 (decimal), as the Attribute Editor tab in the Active Directory Users & Computers MMC shows us.


Written out in full, the hex value is 0x00001000, and we need to set the 7th digit from the right to 1 to enable the trusted-for-delegation option. The new value is therefore 0x01001000, which is 16781312 in decimal.

Enter the new number in the UserAccountControl attribute and see the results:

userAccountControl: 0x1001000 = ( WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION );
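To check the result without counting hex digits by hand, here is a small added decoder (my own example, not part of the original post) that parses a userAccountControl line in the ldp.exe format shown above, names the flags that are set, and computes the OR'ed value for the change made on this page. It goes slightly beyond the post by also decoding TRUSTED_FOR_DELEGATION (0x80000), the bit that ADUC's "trust this computer for delegation to any service" option sets; the bit set above, 0x1000000, is the protocol-transition flag that ldp.exe reports as TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, so an auditor can tell the two apart. The sample line is constructed to match the post's output.

```python
import re

# userAccountControl flag bits (values from the ADS_USER_FLAG enumeration),
# named the way ldp.exe prints them.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",             # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",  # protocol transition
}
# Bits an auditor should treat as granting delegation rights.
DELEGATION_FLAGS = (0x80000, 0x1000000)

# Constructed sample: the ldp.exe line for the MSA before the change.
SAMPLE_BEFORE = "userAccountControl: 0x1000 = ( WORKSTATION_TRUST_ACCOUNT );"


def parse_ldp_uac(line):
    """Extract the numeric value from an ldp.exe 'userAccountControl:' line (hex or decimal)."""
    m = re.match(r"\s*userAccountControl:\s*(0x[0-9a-fA-F]+|\d+)", line)
    if not m:
        raise ValueError("not a userAccountControl line")
    return int(m.group(1), 0)


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def with_flag(value, flag=0x1000000):
    """Set one flag with a bitwise OR so the existing bits (e.g. 0x1000) are kept."""
    return value | flag


def delegation_report(line):
    """Decode one ldp.exe line and list which delegation bits, if any, are set."""
    value = parse_ldp_uac(line)
    granted = [UAC_FLAGS[b] for b in DELEGATION_FLAGS if value & b]
    return {"value": value, "flags": decode_uac(value), "delegation": granted}
```

Feeding the page's "after" line to `delegation_report` shows the delegation right actually granted, which is the check to repeat for every MSA during an audit.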